2 Replies Latest reply: Jan 7, 2013 1:35 PM by anjhawar - oracle

    How should I configure WebLogic to act as an SSL client?

      I am trying to do two-way SSL communication. My server is deployed on one WebLogic server and the client on another. I have imported a valid certificate on the client side and am trying to invoke a web service running on HTTPS. I have written a simple servlet class which invokes the web service over HTTPS. I have set the following properties in the client code.

      System.setProperty("javax.net.ssl.keyStorePassword", "XXXXX");
      System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");

      When I compile and run the simple standalone client code on the Unix server it runs fine, but when I deploy the client on WebLogic and hit the URL I get a bad certificate exception.

      Client Side Error
      oled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer).
      javax.net.ssl.SSLException: Received fatal alert: bad_certificate
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1467)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1435)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1601)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1031)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
      at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)
      at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
      at weblogic.security.SSL.jsseadapter.JaSSLEngine$4.run(JaSSLEngine.java:118)
      at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
      at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:116)
      at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:93)
      at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:59)
      at weblogic.socket.JSSEFilterImpl.write(JSSEFilterImpl.java:391)
      at weblogic.socket.JSSESocket$JSSEOutputStream.write(JSSESocket.java:78)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
      at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
      at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:162)
      at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:376)
      at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
      at java.net.URL.openStream(URL.java:1010)
      at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:842)
      at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:289)
      at com.sun.xml.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:138)
      at com.sun.xml.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:284)
      at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:246)
      at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197)
      at com.sun.xml.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:187)
      at weblogic.wsee.jaxws.spi.WLSServiceDelegate.<init>(WLSServiceDelegate.java:84)
      at weblogic.wsee.jaxws.spi.WLSProvider$ServiceDelegate.<init>(WLSProvider.java:598)
      at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:120)
      at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:112)
      at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:83)
      at javax.xml.ws.Service.<init>(Service.java:56)
      at com.vodafone.main.TokenService.<init>(TokenService.java:49)
      at vodafone.TransactClient.getMessage(TransactClient.java:65)
      at vodafone.TransactClient.doGet(TransactClient.java:77)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
      at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
      at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3717)
      at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
      at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
      at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
      at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
      at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
      at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
      at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
      at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)

      Server Side Error
      [Raw read]: length = 5>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <0000: 16 03 01 00 4D ....M
      [Raw read]: length = 77>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 49 59 42 ..........B.@IYB
      0010: 09 08 EF 92 70 2E E7 49 E6 73 00 B0 33 7C A9 F0 ....p..I.s..3...
      0020: 42 D1 3F F2 DA B9 80 FD 9E E8 15 21 C3 7E 42 A2 B.?........!..B.
      0030: CF 1A 20 A0 17 ED B3 D6 3B 5C 68 1E 49 06 97 65 .. .....;\h.I..e
      0040: 70 8A 40 03 C1 93 FB 3F A9 26 B6 E9 67 p.@....?.&..g
      ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', READ: TLSv1 Handshake, length = 77>
      **<Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <*** Certificate chain>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <***>**
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', fatal error: 42: null cert chain
      javax.net.ssl.SSLHandshakeException: null cert chain>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', SEND TLSv1 ALERT: fatal, description = bad_certificate>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', WRITE: TLSv1 Alert, length = 2>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', called closeOutbound()>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '0' for queue: 'weblogic.socket.Muxer', closeOutboundInternal()>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <[Raw write]: length = 7>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <0000: 15 03 01 00 02 02 2A ......*
      ExecuteThread: '2' for queue: 'weblogic.socket.Muxer', called closeOutbound()>
      <Dec 12, 2012 3:06:54 PM UTC> <Notice> <Stdout> <BEA-000000> <ExecuteThread: '2' for queue

      I am able to send the client certificate when I run the Java code from the Unix box, but not from WebLogic. Can anybody please help me with this? How should I configure WebLogic to act as an SSL client?

      Pooja kulkarni
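The server-side dump above can be decoded to see what the client actually sent. This is an added example, not part of the original post: it parses the 77-byte handshake record copied from that log (the function names are hypothetical) and counts the certificates in the TLS 1.0 Certificate message, which is the value behind the server's "null cert chain" error.

```python
import re

# Handshake record body copied from the server-side log in the question
# (the 77-byte "[Raw read]" that follows the record header 16 03 01 00 4D).
DUMP = r"""
0000: 0B 00 00 03 00 00 00 10 00 00 42 00 40 49 59 42 ..........B.@IYB
0010: 09 08 EF 92 70 2E E7 49 E6 73 00 B0 33 7C A9 F0 ....p..I.s..3...
0020: 42 D1 3F F2 DA B9 80 FD 9E E8 15 21 C3 7E 42 A2 B.?........!..B.
0030: CF 1A 20 A0 17 ED B3 D6 3B 5C 68 1E 49 06 97 65 .. .....;\h.I..e
0040: 70 8A 40 03 C1 93 FB 3F A9 26 B6 E9 67 p.@....?.&..g
"""
HANDSHAKE_TYPES = {1: "client_hello", 11: "certificate", 15: "certificate_verify",
                   16: "client_key_exchange", 20: "finished"}

def dump_to_bytes(dump, length):
    """Rebuild the raw bytes from JSSE debug dump lines, dropping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.search(r"\b[0-9A-Fa-f]{4}: (.*)", line)
        if not m:
            continue
        for tok in m.group(1).split()[:16]:      # at most 16 bytes per dump row
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break                            # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out[:length])                   # trust the logged record length

def handshake_messages(body):
    """Split a handshake record into (type name, payload) pairs."""
    msgs, i = [], 0
    while i + 4 <= len(body):
        mlen = int.from_bytes(body[i + 1:i + 4], "big")
        payload = body[i + 4:i + 4 + mlen]
        if len(payload) < mlen:
            raise ValueError("truncated handshake message")
        msgs.append((HANDSHAKE_TYPES.get(body[i], hex(body[i])), payload))
        i += 4 + mlen
    return msgs

def client_cert_count(payload):
    """Certificate body: 3-byte list length, then 3-byte length + DER per entry."""
    total, i, count = int.from_bytes(payload[:3], "big"), 3, 0
    while i < 3 + total:
        i += 3 + int.from_bytes(payload[i:i + 3], "big")
        count += 1
    return count

def diagnose(dump, length):
    """Return the handshake message names and the client certificate count."""
    msgs = handshake_messages(dump_to_bytes(dump, length))
    certs = [client_cert_count(p) for name, p in msgs if name == "certificate"]
    return [name for name, _ in msgs], (certs[0] if certs else None)
```

For the dump above, `diagnose(DUMP, 77)` reports a Certificate message with zero entries followed by ClientKeyExchange: the client answered the server's certificate request with an empty chain rather than a certificate the server rejected.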
        • 1. Re: How should I configure WebLogic to act as an SSL client?
          Hi Pooja,

          I guess you have configured two-way SSL for a WebLogic server, where you have provided the trust store in the configuration.

          So your client is running on Weblogic_Server_A and is accessing the web service deployed on Weblogic_Server_B using the HTTPS protocol.

          In that case you should import the certificates of the web service into the trust store of Weblogic_Server_A, and vice versa if the client code is also running on WebLogic.

          Ensure all the necessary certificates and their chains are imported.

          Also check the trust store; ideally your trust store should be the cacerts provided with the JDK, so try configuring that too.

          (Location of cacerts: jdk160_18\jre\lib\security)

          • 2. Re: How should I configure WebLogic to act as an SSL client?
            anjhawar - oracle
            You can enable DebugSecuritySSL on the WLS server and set the log severity to "debug"; you would get some more insight into what issue WLS is facing, after which you can take the necessary action.